http://blogs.msdn.com/stephen_mccloskey/default.aspxTripping through the managed landscape.en-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/stephen_mccloskey/archive/2004/03/09/86868.aspxTue, 09 Mar 2004 22:41:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:86868Stephen_McCloskey9http://blogs.msdn.com/stephen_mccloskey/comments/86868.aspxhttp://blogs.msdn.com/stephen_mccloskey/commentrss.aspx?PostID=86868<P class=MsoNormal style="MARGIN: 0in 0in 0pt">Here are some articles about password sniffing and real-world systems.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>Documented accounts of successful password sniff attacks do actually exist.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p>&nbsp;</o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">(I&#8217;m not trying to pick on the <?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" /><st1:City w:st="on">OSS</st1:City> folks when it comes to poor password handling, but the two most recent incidents were connected with <st1:City w:st="on"><st1:place w:st="on">OSS</st1:place></st1:City> systems.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>In reality, <st1:City w:st="on"><st1:place w:st="on">OSS</st1:place></st1:City> and non-OSS systems are equally vulnerable to password sniffing attacks.)<SPAN style="mso-spacerun: yes">&nbsp; </SPAN><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;</SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p>&nbsp;</o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">Debian had a few of its servers compromised a few months back.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>It looks like the attack started with a simple sniffed password. See <A href="http://kerneltrap.org/node/view/1717">this</A> and <A href="http://slashdot.org/article.pl?sid=03/11/28/050232&amp;mode=thread">this</A>.<o:p>&nbsp;</o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p>&nbsp;</o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">The FSF Savannah project had the same attack successfully performed on them.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>The article does not mention the password sniffing part, but does say that the attack was identical to the Debian attack.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>Does anyone know if a sniffed password was also used in this attack? See <A href="http://linuxtoday.com/news_story.php3?ltsn=2003-12-04-014-26-SC-SV&amp;tbovrmode=3">this</A>.</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p>&nbsp;</o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><A href="http://www.cert.org/incident_notes/IN-98.03.html">Here</A> is a random CERT account of someone who collected passwords.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>CERT claims some passwords where sniffed, but I have no idea how they would know that.</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p>&nbsp;</o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">Finally, <A href="http://zdnet.com.com/2100-1106-871061.html">here</A> is a random article about E-Bay.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>There isn't any evidence that e-bay customers had their passwords sniffed, though.&nbsp;<SPAN style="mso-spacerun: yes">&nbsp;</SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p>&nbsp;</o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">Although password sniffing is rare, it is still something that people should worry about.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>Common sense dictates that we shouldn&#8217;t be storing or sending plaintext passwords.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p>&nbsp;</o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">Although your chances of getting struck by lightening are pretty low, you should still get out of the water when a thunder-storm arrives.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN></P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=86868" width="1" height="1">http://blogs.msdn.com/stephen_mccloskey/archive/2004/02/27/81375.aspxSat, 28 Feb 2004 02:34:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:81375Stephen_McCloskey10http://blogs.msdn.com/stephen_mccloskey/comments/81375.aspxhttp://blogs.msdn.com/stephen_mccloskey/commentrss.aspx?PostID=81375<P class=MsoNormal style="MARGIN: 0in 0in 0pt">Why does the ASP.net administrative site send your plaintext password to you in email whenever you change it?<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>This strikes me as a bad idea.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>For that matter, why doesn&#8217;t the ASP.net site use https on the page that allows you to change your password?<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>Your password is not very secure if the darn thing is floating around the internet and in random mail boxes - in plaintext.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>Jeez!<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>Packets can be sniffed and most mail boxes can be read by an administrator (or whoever has access to the backup).<SPAN style="mso-spacerun: yes">&nbsp; </SPAN></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt"><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p>&nbsp;</o:p></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt">Passwords are like an infectious disease.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>You want to handle them carefully and avoid them whenever possible.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>They are an essential part of modern applications, but many developers don&#8217;t respect how easily they can be compromised if mishandled.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>Fear the evil password! Don&#8217;t ever write an app that tosses them around in plaintext! </P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=81375" width="1" height="1">